Carphone Warehouse Fined £400k After 2015 Data Breach
ICO issues one of the largest fines ever to telecommunications giant Carphone Warehouse over cyber security breach.
Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO) after a data breach in 2015 allowed hackers to gain unauthorised access to the personal data of over three million customers and 1,000 employees.
Between July and August of 2015, Carphone Warehouse’s website was subject to an external cyber attack originating from an IP address in Vietnam. Using Nikto, a basic tool for scanning web servers for security vulnerabilities and misconfigurations, the hackers were able to gain access to the company’s extensive customer database.
The ICO’s report states that Carphone Warehouse’s system was vulnerable because of a “considerably out of date” WordPress installation and the absence of a Web Application Firewall (WAF). ICO commissioner Elizabeth Denham also noted that there were inadequate measures in place to identify and purge Carphone Warehouse’s historic data. The ICO considered this to be a serious contravention of Principle 7 of the Data Protection Act 1998.
Staff only became aware of the attack 15 days after the event, but by then the hackers had accessed customer information such as transaction history, full name, date of birth, email, password, phone number and current address.
Carphone Warehouse employee data such as car registration numbers, home postcode, work email, personal and work contact details as well as line manager information was also compromised. The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.
Denham said: “A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
A statement from Carphone Warehouse said: “Since the attack in 2015, we have worked extensively with cybersecurity experts to improve and upgrade our security systems and processes. We are very sorry for any distress or inconvenience the incident may have caused.”
From 25 May 2018, the law is set to get more stringent as the General Data Protection Regulation (GDPR) comes into effect. It is hoped that this move will help tackle the increasing cybersecurity threat within the UK.
Had this hack happened under the new GDPR legislation, Carphone Warehouse could potentially have been fined €20 million or even forfeited 4% of its global turnover, which would have amounted to £195m. With the potential for heftier fines, the ICO wants to make data security a top priority for companies and to avoid such situations occurring again.